As the medical device industry grapples with increasingly stringent cybersecurity regulations, a new and rapidly approaching risk has moved from theoretical to imminent: quantum computing. Recent milestones from tech giants and government agencies signal that now is the time for medical device manufacturers (MDMs) to begin the transition to post-quantum cryptography (PQC).

In August 2024, the National Institute of Standards and Technology (NIST) published three new cryptographic standards — FIPS 203 (CRYSTALS-Kyber), FIPS 204 (CRYSTALS-Dilithium), and FIPS 205 (SPHINCS+) that are considered resistant to quantum attacks. This historic announcement, part of the multi-year NIST Post-Quantum Cryptography project, sets the foundation for a secure future and sets the direction for industry which cryptographic algorithms to implement.

At the same time, companies like Google and Microsoft are demonstrating just how fast we are approaching a post-quantum world:

• In December 2024, Google unveiled its “Willow” chip, indicating that commercial quantum computers are within our near future.
• By November 2024, Chrome browser users will receive standardized PQC protection as part of routine updates.
• In February 2025, Microsoft revealed “Majorana 1,” a quantum processor powered by topological qubits — an engineering leap toward practical quantum computing.

The future isn’t distant. It’s happening now.

The Role of Cryptography in Medical Devices

Cryptography is foundational to medical device cybersecurity, ensuring the confidentiality, integrity, and authenticity of patient data and device communications as well as ensuring device availability and patient safety. But as regulators increase their scrutiny, the spotlight is shifting beyond simple algorithm selection.

Many MDMs are still falling into critical traps:

• Relying on non-agile crypto libraries that can’t adapt to new standards such as required under PQC.
• Not ensuring security of cryptographic key provisioning, storage, and management.
• Reusing cryptographic keys across devices or for multiple functions.
• Failing to build out robust key lifecycle management, provisioning controls, or secure update pathways.

These issues have real consequences: we are aware of several recent FDA market submission rejections that were linked to cryptographic deficiencies — including use of outdated algorithms and lack of documentation around key management strategies and processes.

For context, NIST’s SP 800–57 and SP 800–175B provide critical guidance on cryptographic key management practices that are expected in secure systems — including medical devices.

Quantum Risks to Today’s Cryptography

Quantum computers leverage entirely new physics to solve problems that stump classical systems — most notably, they significantly reduced the time required for factoring of the elliptic curve discrete log calculations used by Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) encryption.

Once operational, quantum computers will be able to:

• Break RSA-2048 in hours using Shor’s Algorithm
• Invalidate ECC-based authentication and key exchanges, a mainstay in many medical devices today

NIST’s selection of Kyber and Dilithum for standardization reflects their resistance to these quantum attacks and their suitability for embedded applications.

FDA Cybersecurity Requirements & Post-Quantum Relevance

The FDA’s 2023 Premarket Cybersecurity Guidance requires MDMs to provide “reasonable assurance” that devices are protected throughout their lifecycle. This includes:

• Secure-by-design product development
• Threat modeling and risk mitigation strategies
• Cryptographic confidentiality, authentication and integrity protection
• Patchability and crypto agility throughout the product’s use

Additionally, under FD&C Act Section 524B, the FDA now has the legal authority to refuse device submissions that don’t meet cybersecurity expectations — especially if they contain deprecated cryptographic algorithms or lack evidence of forward-looking crypto planning.

With NIST committing to deprecate non-quantum-resistant cryptography by 2030, MDMs need to act now to avoid product delays, expensive redesigns, or long-term risk exposure.

Cryptographic Bill of Materials (CBOM) — A Regulatory Advantage

While Software Bills of Materials (SBOMs) are now common in submissions, CBOMs are emerging as a best practice to document:

• All cryptographic algorithms in use
• Key lengths, usage policies, and lifecycle expectations
• Post-quantum algorithm readiness and NIST alignment

As NIST PQC standards become mandatory, including a CBOM can streamline FDA submission reviews, simplify third-party audits, and provide internal engineering with a clear cryptographic inventory.

Challenges in PQC Implementation for Medical Devices

Transitioning to PQC is essential — but challenging, especially in resource-constrained devices.

Key implementation challenges include:

1. Increased computational load: Post-quantum algorithms have larger key sizes and require more intensive operations.
2. Compatibility with legacy systems: Many healthcare environments still rely on outdated infrastructure. PQC upgrades must integrate cleanly with existing platforms and communication protocols.
3. Long product lifecycles: Medical devices are expected to last 10+ years in the field, requiring forward compatibility in crypto-agility from the start.
4. Hardware constraints: Wearables, implants, and portable monitors have limited compute and battery capacity. Supporting PQC in such environments requires early architectural decisions.

How to Prepare for PQC in Medical Devices

To ensure regulatory success and patient safety in the quantum era, MDMs should:

• Assess and inventory existing cryptography: Identify RSA/ECC dependencies and prioritize replacements with NIST-approved PQC algorithms.
• Design for cryptographic agility: Implement modular crypto libraries that allow hot-swapping algorithms as standards evolve.
• Enable update mechanisms for crypto and keys: Ensure devices can receive secure cryptographic updates without requiring full hardware redesign.
• Collaborate with specialized partners: Work with experts in medical device cybersecurity to design, implement, and validate compliant cryptographic strategies.
• Document with CBOMs for regulatory alignment: Transparently disclose your cryptographic plan to regulators and supply chain partners.

Conclusion: Why 2025 is the Year to Act

The shift to post-quantum cryptography is no longer theoretical. Between NIST’s new standards, Google’s Chrome deployment, and Microsoft’s hardware breakthroughs, the countdown to quantum readiness has begun.

With the FDA enforcing cybersecurity requirements and NIST aiming to fully deprecate legacy algorithms by 2030, the time for proactive preparation is now.

MDMs that begin this transition today will not only ensure regulatory compliance, but also position themselves as leaders in protecting patient data and device integrity in the age of quantum computing.

Navigating the FDA submission process doesn’t have to be a daunting task. With Medcrypt’s experienced team by your side, you can streamline your submission preparation, prioritize cybersecurity remediation, and achieve program maturity. Our unique approach, coupled with a deep understanding of FDA expectations, ensures your medical devices are compliant and secure in an ever-evolving threat landscape. Trust Medcrypt to be your partner in achieving FDA cybersecurity readiness and ensuring the safety of your innovations.

Don’t know where to start? Start by taking our complimentary FDA Cybersecurity Filing Readiness Survey.

‍